Background
The manifest file is meant to be in the target repo that you want to access. This way, if you are in Repo A and write in Repo B, Repo B needs to have the YAML, and Repo A can get a token on the other side.
Proposed Enhancement
For added protection, it would be best to enforce branch protection to prevent modification of the YAML file. If STS is fetching the YAML from the default branch, it should also warn that the file is in a non-protected branch, or not fetch it if the branch is not protected. While there is some branch protection in the settings, you may also want to consider using Rules for apps within the repo. It's best to have a more granular configuration in the settings. Another alternative is to use code owners in addition to branch protection. There is ongoing work by Chainguard to add a check validating the structure of the YAML file.
Another option could be to support cryptographic signatures of the manifests so that even if they are tampered with, it can be detected. But that is quite a bit more complex.
P.S. Idea from @fproulx in discussion with @mattmoor and @dnlfdz on 2024-05-06.
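The branch-protection and CODEOWNERS checks proposed in the issue, as an added example in Go. This is illustrative code written for this page, not the STS app's own implementation or anything from Chainguard. It assumes the `protected` field of the GitHub REST "get a branch" response, a manifest under `.github/chainguard/` (the file name is made up), a simplified gitignore-style CODEOWNERS matcher (a matched directory covers everything beneath it; last match wins), and constructed sample inputs rather than live API calls.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample inputs (not captured from a real repository).
const (
	// Shape of GET /repos/{owner}/{repo}/branches/{branch}; only the fields read here.
	ProtectedBranchJSON   = `{"name":"main","protected":true}`
	UnprotectedBranchJSON = `{"name":"main","protected":false}`

	// Assumed manifest location in the target repo; the file name is invented.
	ManifestPath = ".github/chainguard/deploy.sts.yaml"

	SampleCodeowners = `# constructed CODEOWNERS
*                         @example-org/maintainers
/.github/chainguard/      @example-org/security
`
)

// Verdict is the result of the pre-fetch check: whether to trust the manifest
// and which weaknesses to surface to the operator.
type Verdict struct {
	Allow    bool
	Warnings []string
}

// codeownersRegex converts one CODEOWNERS pattern into a regexp using a
// simplified subset of the gitignore rules: "**" crosses directories, "*" and
// "?" stay within one segment, a bare name (no "/") matches at any depth, a
// pattern containing "/" is anchored at the repo root, and a directory match
// covers everything beneath it.
func codeownersRegex(pattern string) *regexp.Regexp {
	p := strings.Trim(pattern, "/")
	anchored := strings.HasPrefix(pattern, "/") || strings.Contains(p, "/")
	var sb strings.Builder
	for i := 0; i < len(p); i++ {
		switch {
		case strings.HasPrefix(p[i:], "**"):
			sb.WriteString(".*")
			i++ // consume the second '*'
		case p[i] == '*':
			sb.WriteString("[^/]*")
		case p[i] == '?':
			sb.WriteString("[^/]")
		default:
			sb.WriteString(regexp.QuoteMeta(string(p[i])))
		}
	}
	prefix := "^"
	if !anchored {
		prefix = "^(.*/)?"
	}
	return regexp.MustCompile(prefix + sb.String() + "(/.*)?$")
}

// OwnersFor returns the owners of path under last-match-wins CODEOWNERS
// semantics, or an empty result when no pattern covers the path.
func OwnersFor(codeowners, path string) []string {
	path = strings.TrimPrefix(path, "/")
	var owners []string
	for _, line := range strings.Split(codeowners, "\n") {
		fields := strings.Fields(line)
		if len(fields) == 0 || strings.HasPrefix(fields[0], "#") {
			continue
		}
		if codeownersRegex(fields[0]).MatchString(path) {
			owners = fields[1:] // a later matching line overrides earlier ones
		}
	}
	return owners
}

// ManifestFetchVerdict implements the proposed check: before trusting a manifest
// read from the default branch, confirm the branch is protected and that
// CODEOWNERS covers the manifest path. With strict set, an unprotected branch
// refuses the fetch; otherwise the fetch proceeds with a warning.
func ManifestFetchVerdict(branchJSON []byte, codeowners, manifestPath string, strict bool) (Verdict, error) {
	var branch struct {
		Name      string `json:"name"`
		Protected bool   `json:"protected"`
	}
	if err := json.Unmarshal(branchJSON, &branch); err != nil {
		return Verdict{}, fmt.Errorf("decode branch response: %w", err)
	}
	v := Verdict{Allow: true}
	if !branch.Protected {
		v.Warnings = append(v.Warnings, fmt.Sprintf("branch %q is not protected; %s can change without review", branch.Name, manifestPath))
		if strict {
			v.Allow = false
		}
	}
	if len(OwnersFor(codeowners, manifestPath)) == 0 {
		v.Warnings = append(v.Warnings, fmt.Sprintf("no CODEOWNERS entry covers %s", manifestPath))
	}
	return v, nil
}

func main() {
	for _, c := range []struct {
		label, branch string
		strict        bool
	}{
		{"protected", ProtectedBranchJSON, true},
		{"unprotected, warn only", UnprotectedBranchJSON, false},
		{"unprotected, strict", UnprotectedBranchJSON, true},
	} {
		v, err := ManifestFetchVerdict([]byte(c.branch), SampleCodeowners, ManifestPath, c.strict)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-24s allow=%v warnings=%v\n", c.label, v.Allow, v.Warnings)
	}
}
```

In a real deployment the branch JSON would come from the GitHub API at token-issuance time, and the CODEOWNERS check is only meaningful if "require review from Code Owners" is also enabled on the protected branch; the CODEOWNERS file itself should sit under the same protection, or the owner mapping can be edited away.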